SSO for O365 works for IE 11, but not Chrome version 63

Question
-
Hi,
We have ADFS 2012 R2 in place. If I clear down cookies and make sure I'm logged out of O365, reboot and then login to "portal.office.com" and "contoso.sharepoint.com", IE automatically logs me in, but Chrome prompts for a username to be picked. Once I pick the username or enter "mark@contoso.com" I'm automatically directed to ADFS and login straight away (Chrome doesn't need a password, it grabs it from Windows).
How can we get Chrome to work with SSO?
IE settings:
local intranet zone has "https://portal.office.com" and "https://contoso.sharepoint.com"
User authentication\Logon set to "Automatic logon only in the intranet zone"
ADFS settings:
PS C:\> Get-AdfsGlobalAuthenticationPolicy
AdditionalAuthenticationProvider : {}
DeviceAuthenticationEnabled : False
PrimaryIntranetAuthenticationProvider : {FormsAuthentication, WindowsAuthentication}
PrimaryExtranetAuthenticationProvider : {FormsAuthentication}
WindowsIntegratedFallbackEnabled : True
PS C:\> Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
Mozilla/5.0
Edge/12
PS C:\>
IT Support/Everything
Wednesday, September 19, 2018 2:21 PM
All replies
-
What version of Chrome are you using?
Have you verified which User Agent that version of Chrome uses?
Friday, September 21, 2018 8:47 AM -
Chrome version 63.0.3239.108
I think I need to add Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome") as mentioned below.
Presumably I can remove the string by using - "Chrome)
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia
Will test when I get some time.
IT Support/Everything
Friday, September 21, 2018 11:34 AM -
Run the command Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0")
The only caution I would add is that if you do not use the "expand" and use just Set-AdfsProperties -WIASupportedUserAgents with just "Chrome", then you will only have that browser enabled and lose all the others. It is an accretive command!
Friday, September 21, 2018 8:42 PM -
Thanks, I'll be sure to use the expand. We've got our ADFS servers WID load balanced, so I'll power off and snapshot the primary beforehand just in case I need another roll back...
Is "+ "Mozilla/5.0"" needed? It's already listed.
IT Support/Everything
- Edited by Aetius2012 Monday, September 24, 2018 10:27 AM.
Monday, September 24, 2018 10:25 AM -
Sorry - I missed that it was there already. Not needed!
Wednesday, September 26, 2018 3:19 PM
-
I managed to test this yesterday; unfortunately, adding Chrome didn't work as mentioned.
I used their recommended string, as well as trying the code below.
#Use an array list, as it's dynamic, arrays are fixed size
[System.Collections.ArrayList]$UserAgents = Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents
$UserAgents.add("chrome")
# Use line below to roll back
# $UserAgents.Remove("chrome")
Set-ADFSProperties -WIASupportedUserAgents $UserAgents
Restarted ADFS services, but Chrome still wouldn't perform SSO (WindowsIntegratedFallbackEnabled is true)
Looking at the browser string from whoishostingthis, my browser is reported as below. Do I need to add the entire string, and what happens when the next version of Chrome comes out?
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36
Thanks
IT Support/Everything
Friday, September 28, 2018 9:43 AM
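The two concerns raised in this thread (Set-AdfsProperties replacing the whole WIASupportedUserAgents list, and needing a clean way to roll back) can be handled with a small helper script. This is an added example, not code posted by anyone in the thread; the backup path is a constructed placeholder, and the Test-WiaUserAgentMatch helper assumes that AD FS treats each configured entry as a substring of the browser's User-Agent header, which this page does not state.

```powershell
# Added example: manage WIASupportedUserAgents without dropping existing entries,
# keep a rollback copy on disk, and sanity-check a User-Agent string locally.

$BackupPath = "C:\Temp\WIASupportedUserAgents.backup.txt"   # constructed placeholder path

function Get-WiaUserAgents {
    # Always read the live list, since Set-AdfsProperties replaces the whole list.
    return @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
}

function Backup-WiaUserAgents {
    $current = Get-WiaUserAgents
    $current | Set-Content -Path $BackupPath
    return $current
}

function Add-WiaUserAgent {
    param([Parameter(Mandatory)][string]$Token)
    $current = Get-WiaUserAgents
    if ($current -contains $Token) { return $current }     # idempotent: nothing to do
    Set-AdfsProperties -WIASupportedUserAgents ($current + $Token)
    return Get-WiaUserAgents
}

function Remove-WiaUserAgent {
    param([Parameter(Mandatory)][string]$Token)
    $updated = @(Get-WiaUserAgents | Where-Object { $_ -ne $Token })
    Set-AdfsProperties -WIASupportedUserAgents $updated
    return Get-WiaUserAgents
}

function Restore-WiaUserAgents {
    # Roll back to the list saved by Backup-WiaUserAgents.
    Set-AdfsProperties -WIASupportedUserAgents @(Get-Content -Path $BackupPath)
    return Get-WiaUserAgents
}

# Assumption: an entry matches when it appears anywhere in the User-Agent header.
function Test-WiaUserAgentMatch {
    param([string]$UserAgent, [string[]]$Entries)
    return @($Entries | Where-Object { $UserAgent.Contains($_) })
}

# Usage, with the Chrome 63 User-Agent string quoted in the thread.
$chromeUA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36"
$before = Backup-WiaUserAgents
"Matching entries before: $((Test-WiaUserAgentMatch $chromeUA $before) -join ', ')"
$after = Add-WiaUserAgent -Token "Chrome"
"Matching entries after:  $((Test-WiaUserAgentMatch $chromeUA $after) -join ', ')"
Restart-Service adfssrv   # the thread restarts the AD FS service after changing the list
```

Run Remove-WiaUserAgent -Token "Chrome" or Restore-WiaUserAgents to undo the change; both re-read the live list so no other entry is affected.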